Microsoft’s serious commitment to security

In many recent interviews Microsoft has vowed its firm commitment to security, all the while demonstrating the exact opposite.

Case in point: on December 28th, US-CERT issued security advisory VU#181038 pertaining to all versions of Microsoft operating systems. This is a 0-day vulnerability.

We all know that US-CERT generally issues advisories (at least) a few days after the initial discovery. In this case the vulnerability and corresponding incidents were first discovered on December 27th, according to McAfee.

Upon examining Microsoft security bulletin 912840, associated with this vulnerability, you will notice that it was published December 28th: the same day as the US-CERT announcement and one day after its initial discovery. A serious vulnerability that affects ALL versions of the most widely used operating system in the world, and they wait a day to even post an advisory on their web site?

Even this isn't what bothers me the most. What really got me was when I visited their web site trying to find more information. At present they have a giant Flash animation (it takes up about 75% of the page) that contains a sunflower wearing sunglasses, set against the recognizable Windows "blue sky, green grass" backdrop, with the heading "start having fun". So this vulnerability isn't being displayed prominently. Let's look closer at the front page and see if we can find a link to information on this vulnerability. Look all you want, it's not there. No mention on the home page at all.

So let's click on Security. It's sure to be listed there. Once again, look all you like. You won't find it.

No patch exists, it results in remote code execution on a fully patched Windows XP, Server 2003, etc., and Microsoft makes no mention of it on either their home page or their security page.

I think it's time Microsoft stopped jawing about this commitment to security and started demonstrating it.

Common Criteria and Windows

It was just announced that MS Windows XP SP2 and Windows Server 2003 have been accredited at Common Criteria evaluation assurance level 4+.

For those of you who don't know, the Common Criteria is an ISO standard that was created to provide a common way of evaluating and rating security. It combines the US's old Orange Book evaluation with the DoD's Red Book, the Canadian CTCPEC and the EU's ITSEC. It has 7 Evaluation Assurance Levels (EALs), 1 being the lowest and 7 being the highest.

Now here is where things start to get shaky. Windows has achieved 4+. Novell has had 4+ for Open Enterprise Server for some time, and it appears that SUSE and Red Hat are both going for evaluations and will likely achieve 4+.

The reason for this is that 4+ is the highest level of accreditation that a commercial product can hope to achieve. It is this fact that makes me believe the Common Criteria is doing a disservice to the security community.

I find it hard to believe that additional security cannot be added to Windows, that it can't be more secure than it is now. Yet we have hit a wall with the CC. What motivation do Microsoft or others have to improve their security if they are already accredited at the highest possible level?

What kind of security-related blog would I be running without mentioning the Sony DRM fiasco?

I do not think they could have screwed up more if they tried.
1. Hired incompetent coders to write DRM software.
2. Allowed coders to steal code from open source projects without code oversight (and oh, the hypocrisy).
3. Stuck it on tons of CDs and allowed it to use rootkit-like cloaking to hide itself.
4. When people found out, made them jump through hoops and install an ActiveX component in order to get it uninstalled. Don't forget that the uninstall itself produces instability.
5. Posted this and made it sound like they were blaming the authors.
6. Said lines like "Ultimately, the experience of consumers is our primary concern..." when the fact that this whole mess exists to begin with is proof of the contrary.

All in all, I think this was one of the best things that could have happened. I don't think the general consumer was angry enough about DRM to make any real changes. This certainly tipped those scales, and I thank Sony for that. I believe the freedom that they, the RIAA and the MPAA enjoy will be greatly reduced, or at least closely watched, now.

Even if our corporations and the government responsible for overseeing them are corrupt, that doesn't mean we can't still be heard.